1 files changed, 170 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch
new file mode 100644
index 0000000000..8035ab38cb
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch
@@ -0,0 +1,170 @@
+commit bae7501e87ab614115d9d3213b4dd18d96e604db
+Author: Alan Modra <amodra@gmail.com>
+Date:   Sat Jul 1 21:58:10 2017 +0930
+    Use bfd_malloc_and_get_section
+    
+    It's nicer than xmalloc followed by bfd_get_section_contents, since
+    xmalloc exits on failure and needs a check that its size_t arg doesn't
+    lose high bits when converted from bfd_size_type.
+    
+        PR binutils/21665
+        * objdump.c (strtab): Make var a bfd_byte*.
+        (disassemble_section): Don't limit malloc size.  Instead, use
+        bfd_malloc_and_get_section.
+        (read_section_stabs): Use bfd_malloc_and_get_section.  Return
+        bfd_byte*.
+        (find_stabs_section): Remove now unnecessary cast.
+        * objcopy.c (copy_object): Use bfd_malloc_and_get_section.  Free
+        contents on error return.
+        * nlmconv.c (copy_sections): Use bfd_malloc_and_get_section.
+Upstream-Status: Backport
+CVE: CVE-2017-9955
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: git/binutils/nlmconv.c
+===================================================================
+--- git.orig/binutils/nlmconv.c 2017-09-21 18:14:15.792797232 +0530
+++ git/binutils/nlmconv.c      2017-09-21 18:14:15.776797105 +0530
+@@ -1224,7 +1224,7 @@
+   const char *inname;
+   asection *outsec;
+   bfd_size_type size;
+-  void *contents;
+  bfd_byte *contents;
+   long reloc_size;
+   bfd_byte buf[4];
+   bfd_size_type add;
+@@ -1240,9 +1240,7 @@
+     contents = NULL;
+   else
+     {
+-      contents = xmalloc (size);
+-      if (! bfd_get_section_contents (inbfd, insec, contents,
+-                                     (file_ptr) 0, size))
+      if (!bfd_malloc_and_get_section (inbfd, insec, &contents))
+        bfd_fatal (bfd_get_filename (inbfd));
+     }
+ 
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c 2017-09-21 18:14:15.792797232 +0530
+++ git/binutils/objdump.c      2017-09-21 18:23:30.420895459 +0530
+@@ -180,7 +180,7 @@
+ static bfd_byte *stabs;
+ static bfd_size_type stab_size;
+ 
+-static char *strtab;
+static bfd_byte *strtab;
+ static bfd_size_type stabstr_size;
+ 
+ static bfd_boolean is_relocatable = FALSE;
+@@ -2037,33 +2037,13 @@
+     }
+   rel_ppend = rel_pp + rel_count;
+ 
+-  /* PR 21665: Check for overlarge datasizes.
+-     Note - we used to check for "datasize > bfd_get_file_size (abfd)" but
+-     this fails when using compressed sections or compressed file formats
+-     (eg MMO, tekhex).
+-
+-     The call to xmalloc below will fail if too much memory is requested,
+-     which will catch the problem in the normal use case.  But if a memory
+-     checker is in use, eg valgrind or sanitize, then an exception will
+-     be still generated, so we try to catch the problem first.
+-
+-     Unfortunately there is no simple way to determine how much memory can
+-     be allocated by calling xmalloc.  So instead we use a simple, arbitrary
+-     limit of 2Gb.  Hopefully this should be enough for most users.  If
+-     someone does start trying to disassemble sections larger then 2Gb in
+-     size they will doubtless complain and we can increase the limit.  */
+-#define MAX_XMALLOC (1024 * 1024 * 1024 * 2UL) /* 2Gb */
+-  if (datasize > MAX_XMALLOC)
+  if (!bfd_malloc_and_get_section (abfd, section, &data))
+     {
+-      non_fatal (_("Reading section %s failed because it is too big (%#lx)"),
+-                section->name, (unsigned long) datasize);
+      non_fatal (_("Reading section %s failed because: %s"),
+                section->name, bfd_errmsg (bfd_get_error ()));
+       return;
+     }
+ 
+-  data = (bfd_byte *) xmalloc (datasize);
+-
+-  bfd_get_section_contents (abfd, section, data, 0, datasize);
+-
+   paux->sec = section;
+   pinfo->buffer = data;
+   pinfo->buffer_vma = section->vma;
+@@ -2579,12 +2559,11 @@
+ /* Read ABFD's stabs section STABSECT_NAME, and return a pointer to
+    it.  Return NULL on failure.   */
+ 
+-static char *
+static bfd_byte *
+ read_section_stabs (bfd *abfd, const char *sect_name, bfd_size_type *size_ptr)
+ {
+   asection *stabsect;
+-  bfd_size_type size;
+-  char *contents;
+  bfd_byte *contents;
+ 
+   stabsect = bfd_get_section_by_name (abfd, sect_name);
+   if (stabsect == NULL)
+@@ -2593,10 +2572,7 @@
+       return FALSE;
+     }
+ 
+-  size = bfd_section_size (abfd, stabsect);
+-  contents  = (char *) xmalloc (size);
+-
+-  if (! bfd_get_section_contents (abfd, stabsect, contents, 0, size))
+  if (!bfd_malloc_and_get_section (abfd, stabsect, &contents))
+     {
+       non_fatal (_("reading %s section of %s failed: %s"),
+                 sect_name, bfd_get_filename (abfd),
+@@ -2606,7 +2582,7 @@
+       return NULL;
+     }
+ 
+-  *size_ptr = size;
+  *size_ptr = bfd_section_size (abfd, stabsect);
+ 
+   return contents;
+ }
+@@ -2733,8 +2709,7 @@
+ 
+       if (strtab)
+        {
+-         stabs = (bfd_byte *) read_section_stabs (abfd, section->name,
+-                                                  &stab_size);
+         stabs = read_section_stabs (abfd, section->name, &stab_size);
+          if (stabs)
+            print_section_stabs (abfd, section->name, &sought->string_offset);
+        }
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog 2017-09-21 18:13:09.052268892 +0530
+++ git/binutils/ChangeLog      2017-09-21 18:25:00.195937741 +0530
+@@ -4,6 +4,19 @@
+        * rddbg.c (read_symbol_stabs_debugging_info): Check for an empty
+        string whilst concatenating symbol names.
+ 
+2017-07-01  Alan Modra  <amodra@gmail.com>
+
+       PR binutils/21665
+       * objdump.c (strtab): Make var a bfd_byte*.
+       (disassemble_section): Don't limit malloc size.  Instead, use
+       bfd_malloc_and_get_section.
+       (read_section_stabs): Use bfd_malloc_and_get_section.  Return
+       bfd_byte*.
+       (find_stabs_section): Remove now unnecessary cast.
+       * objcopy.c (copy_object): Use bfd_malloc_and_get_section.  Free
+       contents on error return.
+       * nlmconv.c (copy_sections): Use bfd_malloc_and_get_section.
+
+ 2017-06-30  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21665

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch new file mode 100644 index 0000000000..8035ab38cb --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch
@@ -0,0 +1,170 @@
	1	commit bae7501e87ab614115d9d3213b4dd18d96e604db
	2	Author: Alan Modra <amodra@gmail.com>
	3	Date: Sat Jul 1 21:58:10 2017 +0930
	4
	5	Use bfd_malloc_and_get_section
	6
	7	It's nicer than xmalloc followed by bfd_get_section_contents, since
	8	xmalloc exits on failure and needs a check that its size_t arg doesn't
	9	lose high bits when converted from bfd_size_type.
	10
	11	PR binutils/21665
	12	* objdump.c (strtab): Make var a bfd_byte*.
	13	(disassemble_section): Don't limit malloc size. Instead, use
	14	bfd_malloc_and_get_section.
	15	(read_section_stabs): Use bfd_malloc_and_get_section. Return
	16	bfd_byte*.
	17	(find_stabs_section): Remove now unnecessary cast.
	18	* objcopy.c (copy_object): Use bfd_malloc_and_get_section. Free
	19	contents on error return.
	20	* nlmconv.c (copy_sections): Use bfd_malloc_and_get_section.
	21
	22	Upstream-Status: Backport
	23
	24	CVE: CVE-2017-9955
	25	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
	26
	27	Index: git/binutils/nlmconv.c
	28	===================================================================
	29	--- git.orig/binutils/nlmconv.c 2017-09-21 18:14:15.792797232 +0530
	30	+++ git/binutils/nlmconv.c 2017-09-21 18:14:15.776797105 +0530
	31	@@ -1224,7 +1224,7 @@
	32	const char *inname;
	33	asection *outsec;
	34	bfd_size_type size;
	35	- void *contents;
	36	+ bfd_byte *contents;
	37	long reloc_size;
	38	bfd_byte buf[4];
	39	bfd_size_type add;
	40	@@ -1240,9 +1240,7 @@
	41	contents = NULL;
	42	else
	43	{
	44	- contents = xmalloc (size);
	45	- if (! bfd_get_section_contents (inbfd, insec, contents,
	46	- (file_ptr) 0, size))
	47	+ if (!bfd_malloc_and_get_section (inbfd, insec, &contents))
	48	bfd_fatal (bfd_get_filename (inbfd));
	49	}
	50
	51	Index: git/binutils/objdump.c
	52	===================================================================
	53	--- git.orig/binutils/objdump.c 2017-09-21 18:14:15.792797232 +0530
	54	+++ git/binutils/objdump.c 2017-09-21 18:23:30.420895459 +0530
	55	@@ -180,7 +180,7 @@
	56	static bfd_byte *stabs;
	57	static bfd_size_type stab_size;
	58
	59	-static char *strtab;
	60	+static bfd_byte *strtab;
	61	static bfd_size_type stabstr_size;
	62
	63	static bfd_boolean is_relocatable = FALSE;
	64	@@ -2037,33 +2037,13 @@
	65	}
	66	rel_ppend = rel_pp + rel_count;
	67
	68	- /* PR 21665: Check for overlarge datasizes.
	69	- Note - we used to check for "datasize > bfd_get_file_size (abfd)" but
	70	- this fails when using compressed sections or compressed file formats
	71	- (eg MMO, tekhex).
	72	-
	73	- The call to xmalloc below will fail if too much memory is requested,
	74	- which will catch the problem in the normal use case. But if a memory
	75	- checker is in use, eg valgrind or sanitize, then an exception will
	76	- be still generated, so we try to catch the problem first.
	77	-
	78	- Unfortunately there is no simple way to determine how much memory can
	79	- be allocated by calling xmalloc. So instead we use a simple, arbitrary
	80	- limit of 2Gb. Hopefully this should be enough for most users. If
	81	- someone does start trying to disassemble sections larger then 2Gb in
	82	- size they will doubtless complain and we can increase the limit. */
	83	-#define MAX_XMALLOC (1024 * 1024 * 1024 * 2UL) /* 2Gb */
	84	- if (datasize > MAX_XMALLOC)
	85	+ if (!bfd_malloc_and_get_section (abfd, section, &data))
	86	{
	87	- non_fatal (_("Reading section %s failed because it is too big (%#lx)"),
	88	- section->name, (unsigned long) datasize);
	89	+ non_fatal (_("Reading section %s failed because: %s"),
	90	+ section->name, bfd_errmsg (bfd_get_error ()));
	91	return;
	92	}
	93
	94	- data = (bfd_byte *) xmalloc (datasize);
	95	-
	96	- bfd_get_section_contents (abfd, section, data, 0, datasize);
	97	-
	98	paux->sec = section;
	99	pinfo->buffer = data;
	100	pinfo->buffer_vma = section->vma;
	101	@@ -2579,12 +2559,11 @@
	102	/* Read ABFD's stabs section STABSECT_NAME, and return a pointer to
	103	it. Return NULL on failure. */
	104
	105	-static char *
	106	+static bfd_byte *
	107	read_section_stabs (bfd abfd, const char sect_name, bfd_size_type *size_ptr)
	108	{
	109	asection *stabsect;
	110	- bfd_size_type size;
	111	- char *contents;
	112	+ bfd_byte *contents;
	113
	114	stabsect = bfd_get_section_by_name (abfd, sect_name);
	115	if (stabsect == NULL)
	116	@@ -2593,10 +2572,7 @@
	117	return FALSE;
	118	}
	119
	120	- size = bfd_section_size (abfd, stabsect);
	121	- contents = (char *) xmalloc (size);
	122	-
	123	- if (! bfd_get_section_contents (abfd, stabsect, contents, 0, size))
	124	+ if (!bfd_malloc_and_get_section (abfd, stabsect, &contents))
	125	{
	126	non_fatal (_("reading %s section of %s failed: %s"),
	127	sect_name, bfd_get_filename (abfd),
	128	@@ -2606,7 +2582,7 @@
	129	return NULL;
	130	}
	131
	132	- *size_ptr = size;
	133	+ *size_ptr = bfd_section_size (abfd, stabsect);
	134
	135	return contents;
	136	}
	137	@@ -2733,8 +2709,7 @@
	138
	139	if (strtab)
	140	{
	141	- stabs = (bfd_byte *) read_section_stabs (abfd, section->name,
	142	- &stab_size);
	143	+ stabs = read_section_stabs (abfd, section->name, &stab_size);
	144	if (stabs)
	145	print_section_stabs (abfd, section->name, &sought->string_offset);
	146	}
	147	Index: git/binutils/ChangeLog
	148	===================================================================
	149	--- git.orig/binutils/ChangeLog 2017-09-21 18:13:09.052268892 +0530
	150	+++ git/binutils/ChangeLog 2017-09-21 18:25:00.195937741 +0530
	151	@@ -4,6 +4,19 @@
	152	* rddbg.c (read_symbol_stabs_debugging_info): Check for an empty
	153	string whilst concatenating symbol names.
	154
	155	+2017-07-01 Alan Modra <amodra@gmail.com>
	156	+
	157	+ PR binutils/21665
	158	+ * objdump.c (strtab): Make var a bfd_byte*.
	159	+ (disassemble_section): Don't limit malloc size. Instead, use
	160	+ bfd_malloc_and_get_section.
	161	+ (read_section_stabs): Use bfd_malloc_and_get_section. Return
	162	+ bfd_byte*.
	163	+ (find_stabs_section): Remove now unnecessary cast.
	164	+ * objcopy.c (copy_object): Use bfd_malloc_and_get_section. Free
	165	+ contents on error return.
	166	+ * nlmconv.c (copy_sections): Use bfd_malloc_and_get_section.
	167	+
	168	2017-06-30 Nick Clifton <nickc@redhat.com>
	169
	170	PR binutils/21665